So welcome, DEF CON 21. Last year was DEF CON 20. This is 21. Welcome. We thought about
calling it DEF CON 20++. So last year, surrounding the badges, there's always this little bit
of panic here. So you guys aren't getting any audio, are you? So this is me saying basically
this is my empty lanyard. This was Wednesday afternoon last year right before the conference
started and me holding up the lanyards and saying, yeah, where's my badges? Where are
they? That's the kind of stress and panic that usually surrounds the creation process
with the DEF CON badges. We try to keep pretty tight security because every year we have
people that try to figure out where we're going to fabricate. We've had people contact
the PCB fab houses that we've used before and actually social engineered them into making
a set of badges for themselves.
We've had people contact the PCB houses post CON and get Uber badges fabricated. So it's
been quite an adventure trying to maintain security just around the badges themselves
and with a security conference, it's kind of ‑‑ you know, it's not really malicious
per se. It's more of a trophy and a demonstration of skill. But, you know, it's fun stuff.
So this year, I've had quite a few discussions with Jeff, Dark Tangent.
How many of you have been to DEF CON for more than five years? So the noobs outnumber the
seasoned vets here by quite a number based on the hands that you guys have been raising.
So one of the things that you'll notice with the DEF CON iconography is we've traditionally
had ‑‑ we've traditionally had a series of three what I call PIPs associated with
us. Which are the Rotary Diagrams.
Those of you in high school, you know what that is, right?
So if you see the goon badges, the Rotary Dial actually is a brass knuckle.
So ‑‑ hello. So the Rotary ‑‑ are you getting this? It sounds like when I talk,
it cuts out. The Rotary Dial was part of our culture because back in the day when we didn't
have yield internets, we were all using BBSs and phone lines. And as a poor kid on a car
in a Commodore 64 with a 300‑baud modem, the only way you could connect to anybody
else was to dial up. And so it suddenly became valuable to get these Sprint and MCI codes
to be able to reach out and touch your friends, you know, on FidoNet and all these other
BBSs. So it became a really big part of hacker culture to be able to get free long distance.
The smiley face with the skull and crossbones has become kind of ubiquitous with DEF CON
as well. And kind of our traditional symbol. It kind of ties into that. It's kind of a
whole piracy security aspect. And then, of course, the floppy disk. And, again, all you
high school guys out there, you know what that is, right? And then its later cousin,
the click, click, click, click disk ‑‑ oh, wait, I mean Zip disk. You guys all remember
those, right? How many of you have a pile of those somewhere in a back closet? Anybody
still using one? I'm sorry. So I talked to ‑‑ I was talking to Jeff,
and I said, you know, we've got these symbols that are like ‑‑ that are on our lanyards,
they're on our programs, they're on everything, and half of them haven't really kept up with
the times. It's more just a tradition. We need a fourth. We need to round out the trifecta
here. And so I asked Jeff's permission to introduce a new symbol that will become part
of the DEF CON iconography. And I did this pre‑all of the Snowden garbage that's going
on right now, which is really scary that it happened. So I asked Jeff, and he said, you
know, what happened on the timing? And so I've introduced the keyhole. Now, when I
went to Jeff with the keyhole, I said, I think it's timeless. And it fits in several different
aspects of our hacker culture. I said, first of all, we've got physical security. We do
the lock picking stuff. The lock is indicative of that. Locks and keys and keyholes are also
usually represented to represent cryptography. So I think that we've got the crypto aspect.
And I said, they're also ‑‑
It's a fictitious observation a lot of times, peeking through the keyhole, listening at
the keyhole. A lot of mystery novels you'll see will have the magnifying glass and then
a keyhole and the guy up there, or you'll see the eyeball peeking through. So I thought
that it was appropriate to introduce. And so from this point forward, when we do all
of our designs and everything else, instead of the three circle symbols, we will have
the fourth. So you guys are really quiet.
So another tradition that I'm going to break. Side tangent. So I kind of pictured
this year as you know those magicians famous secrets revealed where the dude wore the stupid
hockey mask and told how all the magic tricks were done on like a cable show. And he did
that so that the same magicians couldn't keep reusing the old crap over and over again.
And this year with this breaking of traditions was kind of my foray into, okay, I've been
doing a lot of this stuff for many, many years for DEF CON now, but my personal challenge
is to try and best myself every year with badge design, crypto, game design, and all
the things that I touch. And one of the ways I'm motivating myself to do some really good
things moving forward is to do this as kind of my DEF CON's greatest secrets revealed
so that I can't keep pulling the same old stuff out and keep retreading. Because if
I think it's a cop out. So one of the things that we also never do every year is we always
hold the Uber badge and information regarding the Uber badge back until the last day of
the conference on Sunday when they're awarded. How many of you have no concept of what the
Uber badge is at DEF CON? Okay. So when you attend DEF CON, you get badges that basically
say I paid for the conference. They say what level you are. And you'll hear us say human
and inhuman. That's because the general attendance or general populace are referred to as humans
and everyone else are inhumans. That would be vendors, the press, the speakers. I'm getting
there with the press. Just wait. And so you have the human and inhuman. But you also have
a very special badge every year that is known as the Uber badge. Now, we like DEF CON to
be a very interactive conference. It's more ‑‑ it's a put up or shut up place. It's like
everybody talks a big game. Everybody is hack to Gibson, you know, and own, you know,
everyone has trained with Bruce Lee that does martial arts, right? So we like to have
audience participation. We have more contests than I believe any conference. At different
points we have between 40 and 80 contests running. Some of them are incredibly difficult
and challenging. Some are just for fun. And you'll see them going on as we go. You may
have noticed some of the crypto that's involved on the graphics on the floor out and in the
program and in your lanyards. So if you come to DEF CON and you compete in what we call
a badge competition, which means a competition that warrants enough effort and skill, you
are awarded a black Uber badge. And that is free entrance into DEF CON for the rest of
your life. To give you an idea how rare they are, last year we had roughly 15,000 people
attend and we gave out about 15 Uber badges. So it's a very elite club to have a black
Uber badge. It's more bragging rights in the community than anything. But it's kind of
a token of appreciation for people.
People who share or demonstrate skill. But the Uber badge, because it's awarded at the
end of the conference, you usually don't get to see them or know anything about them until
Sunday at the closing ceremonies. And you'll see people that have Uber badges will often
wear them from that point forward. So you'll see some folks that have badges that look
like they don't match within the theme of a year. That's probably an Uber badge from
previous years. Excuse me. I'm going to grab some water.
So breaking with another tradition, I said, hey, Jeff, I want to show the Uber badge on
Thursday. He's like, man, what are you doing to me, Ryan? He's like, you're adding keyholes.
You're going to want to show the Uber badge. You didn't dye your hair this year. You're
not wearing a hat. He's like, I just ‑‑ the world is changing, I guess.
So if you've noticed on your map, there is a room listed as 1057. That is a room that
I will be in and I will have the badges on display for people to handle and look at.
We will go into what they are later on. Before I move forward in that, the final
interest ‑‑ I'm getting feedback here. So the last thing that I asked Jeff ‑‑ and
this is a doozy, and I just thought, man, there's no way in hell he's going to go for
this. Those of you came here expecting an electronic badge this year, this is my electronic,
electronic. I wanted to do a tick-tock cycle on badge design where I do a year electronic
and a year non-electronic. So this one is kind of faux electronic in some ways. It is
a PCB. But the reason I wanted to do that is it becomes passe. You go to other conferences
now and everybody's got a damn electronic badge. We started with the blinky LEDs and
we moved up from there all the way to last year where we had a processor with eight 32-bit
cores on a single die with a Propeller chip. So I don't want it to get people come expecting
oh, where's my electronic badge because for my competitions if you know what to expect
it gives you an unfair advantage to those who are new. And ironically, the year that
I did the titanium badges that were non-electronic, I had far greater participation by the attendees
in the competition than I did last year with the electronic badges. And I asked people
that.
And it appears as though I had a higher participation in the competition than I did last year with
the electronic badges. People just don't want to mess with the electronics at the conference.
It's a very small subset, about 10 percent. Because if you're not familiar with an architecture
or the language or the tool chain for a new chip, you don't want to come to DEF CON and
use up your three days here, you know, sitting at a laptop trying to figure that out.
So I went to Jeff and I said, you know, one of the really iconic parts of DEF CON is the
badge. And we keep it secret every single year.
And I go, I want to tell them about DEF CON 22's badge at DEF CON 21 so that they have
a year to prepare. And he didn't get back to me for a while. He said he had to think
about it. And he said, you know what, let's give them partial information. Let's give
them a little bit of information because next year's badge will be an electronic badge.
The games will be every bit as intense as they are this year and as they were last year
and the year before. But we want people to be able to get a sense of what's going on.
We want people to be able to get exposure to the tool chain and the chip and the architecture.
So we're also going to release a monthly blog that's kind of a mini how‑to on how to develop
or program for those of you who are just straight coders for what the badge will be next year.
We won't give you the details and specs on what it does.
I had prepared to announce what the architecture was today. However, I was told ‑‑ and
it was actually pretty exciting because it's a processor that is not yet released. And
I was going to be able to ‑‑
I was going to say, hey, we're going to be one of the first groups to get our hands on
this new architecture. I've just been told that based on their last engineering run they're
not quite sure they will be able to deliver chips to me in time to get next year's badge
produced. That being said, I've got to wait to tell you what that architecture is because
if they can't get me that architecture before next year, then obviously I can't do it.
So I can neither confirm nor deny that.
So I've actually kind of set a deadline that by December this year, if that information
hasn't been ‑‑ if they haven't told me that they can source that chip for me by
December, then I'm just going to pick a different architecture. And I can tell you that my
fallback architecture will most likely be an MSP430 or something in that series from
TI. So anyway, secret information, you're already ‑‑ see, it's kind of like my dock dump you guys have hacked into my dock dump.
And you're getting all my secrets and my information. So I'm going to have to go back and rethink
my security cycle, I guess. So here on the screen you'll see some of the CAD work that
was done for the Uber badge this year. And I normally use Altium for my design stuff,
for those of you who are familiar with the tool chain. But I wanted to use software that
would be able to be accessible for free to everyone. So all of the badges this year were
actually designed on the free version of Eagle. And for those of you who do design work, you
know that's like slamming your nuts in a door. So I'm going to show you how to do that.
It wasn't fun. And I found some really cool errors in Eagle. Like there's an error that
comes up occasionally that says too many pixels in the Y direction. What the hell does
that mean? It's like a PC load letter. And being a hacker ‑‑ oh, and it was also
in German underneath. So being a hacker, I took, obviously, my work
‑‑ I took my work.
And I rotated it because I wanted to see if there was too many pixels in the opposite
direction. There's not. I still don't know why I got that error because I couldn't reproduce
it just by ‑‑ because then, of course, you start reducing bit at a time to find out
where that extreme is, right? So this year's badge, the Uber badge specifically,
is an homage to my grandfather. My grandfather was a watch maker. He told me that when he
was in the military,
in watch making school, they would basically hand them raw metal stock and they had to
make a watch. That included making the screws, the springs, the case, everything.
Since this is something I just started doing since last DEF CON, I didn't have that level
of skill or the equipment to do that. So I ordered some of the parts preassembled but
then assembled those parts. For those of you familiar with watch making, I couldn't possibly
do the hairspring to the balance.
If you look at the graphic that's on the bottom there, most mechanical watch movements
only have five main components. And I had this whole cool spiel prepared to show how
we could map security and hacking as a ‑‑ and using the watch to move that forward. Then
I decided I can't share that with you yet because it will ruin some of the badge challenge
that is happening this year. But if you go across the bottom, you've got,
basically, a main spring and then your gears to transfer the energy from the main spring.
Then you've got your balance wheel and your escapement, which control how that energy
is released. So that's kind of like your firewall. And then at the end, the five and
the six are displayed to show you the time. So all of the glass that's on the Uber badge
is an actual ‑‑ there are actual watch crystals on them on the front and the back.
I don't know. Can you hear this?
So it's really hard to sleep when you have 30 of these ticking in your room.
And I'm getting to the point now where I've just started blocking the noise
out because I've been working on these for so many months. All the time. So there's some
of the movements out with the PCB on top on one of my desks. Thank you. It's somebody
clap.
Yeah, they were just a little bit of work. So all of them were hand assembled by myself
for the Ubers. And that's why I can only do the Ubers like this, because there's no
way I could possibly get 15,000 badges done for all you guys. Sorry. There's a few more
pictures, and I'm going to leave that one up there for a minute in case anybody is participating
the badge challenge because I thought they might want to get a picture of the code that's
on the back there. Jeez, you guys are quiet. This is DEF CON. You know, the people that
are new here, you're supposed to make noise and yell at me and throw things and yeah,
thank you. This is not Black Hat. I mean, this is not an infomercial or a trade show.
There we go. What's that? Are you done? No? Yes? Ten seconds.
By the way, the copper that's underneath the solder mask doesn't quite show up in the picture.
Just FYI. Some of you may have noticed that on your own badges. There's some ‑‑ well,
we'll get to that in a minute. So one of the other things we did this year, more variations
on the badge than ever. So up until the time I started doing the badge design, we always
did here's your human badge, here's your press badge, here's your speaker badge, and there
was only one human badge.
I started, because I'm a masochist, I guess, doing multiple human variant designs to give
you guys some variety and flavor and it gave me more of a palette space for the crypto
challenges that I was creating for you guys. So this year, there are more ‑‑ I won't
tell you how many because that's part of the game is for you to figure that out. There
are more human variations than we have ever had.
In addition to that, there's us doing some of the sorting of badges to make sure that
when we distribute them ‑‑ there was a mixture because one year, last year, actually,
the registration desks were taking the boxes as they came in and, of course, even though
there were multiple designs, they came grouped together. So all of a particular badge were
going out like on Thursday and all on Friday and it prevented people from moving forward
in the game because they couldn't find the other variants. So we actually hand mixed
up all of the badges this year. Yeah.
So like I mentioned before, we have these things we call non‑human badges. You will
notice that all of the non‑human badges this year are, in fact, face cards with the
exception of one. That would be the press badge. The press badge is a deuce.
And for the slow kids in the audience, that
is my fuck you to the press. Oh, deuce, I get it. It's spelled differently.
So the one on your left is the vendor badge. That's why he has the bitcoin. The one in
the middle, you've got to kind of figure it out. But the base behind him is a GNL base.
So there's a little bit of a hint. So I added two new card types because no poker game would
be complete without the ability to get the hack hand. So I introduced the hacker card
and the crypto card in place of the two jokers. So now if you get the hacker, the crypto,
an ace and a king, you have the hack hand in your playing hand. So the intent there
was to add some variation to other card games and things like that. By the way, those of
you who have purchased some of those data, you can use the link in the description to
download the decks. They came with two hackers in them because they did a misprint because
everything I do seems to get screwed up in production somehow. We actually got the crypto
cards printed and overnighted and we have them. I'm going to have them in my 1057 room.
So if you bought one of those decks, bring it in there, show me the deck and I will give
you one of those crypto cards. So there's your hack hand.
It's a limited number. I think we made like 2,000 or something like that. So there's not
very many. In fact, if you guys like them, we may just do a blank run for next year.
So big things in store for next year. So I've already been talking with Neil and we've
been talking with DT. We think we've got a theme picked out. I won't release what the
theme is. But I was very excited that Jeff actually gave me permission to talk about
it. To tell you guys that we're going to release information about the badges. And it feels
kind of wrong and kind of dirty to be breaking tradition like that that we've been doing
this for so long. But I also think it's time to move forward on some things. And just
like in the security field, if we don't continue to innovate and move forward, we'll stagnate.
And I think that's starting to happen in some areas. So I really think we need to push the
envelope. And I hope that's what we do here at DEF CON and I hope that's what all of you
do when you go back and start working with us.
I hope you go back to your respective schools and places of business. So thanks. People
are finally clapping for me. Yeah, come on. Innovate. Aren't you guys tired of shit being
broken? Come on. So if you take a look at your badges, some of them, not very many,
but some of them are four layer boards, not two. And I won't tell you which ones they
are. But they are the ones generally ‑‑ the
general populace badges are a two‑layer PCB with exposed copper and a solder mask.
And were designed in Eagle. The artwork could be done as vector art in free program like
Inkscape. So technically the entire process of fabricating your own creation, which is
what I'm hoping to inspire you to do, those of you who have never even thought of it,
you can go download free tools and basically crank out a circuit board like the one you
have around your neck.
A circuit board, which is what they are. Printed circuit boards, PCBs. Maybe. There
may be other things. It's copper. You can solder to it. Just because it doesn't look
like a pad doesn't mean it might not be. So anyway, you guys like them? You enjoy
your badges?
Wow!
shipped for us!
That was a fun day!
You guys are awesome guys!
guys make the con for me. You do. I put a crap ton of work into the stuff that I do.
It's a unique challenge to design cryptography puzzles that are designed to be broken with
a temporal space of about three days. For smart people like you, because you're all
smarter than I am, and you are, I'm just like this retard in my closet with a soldering
iron and coding, and I slap stupid crap together and I come here to DEF CON and I barf it all
on to you guys and you guys go and you actually solve this stupid crap that I put out there
every year. And I'm amazed. And I'm amazed every single year somebody solves a piece
of the puzzle in a way that I had not even thought of. And that's why this is a hack
con. That's why these are my people. That's why I can come here and do stupid crap like
that and not have to justify myself.
This is my one time of year I can go in a large group
like this and not feel like that duck or I have to explain my T-shirt or I have to explain
I did what I did. And I hope you all feel that way, too. And for you guys that are new
to DEF CON, everything that I do in these contests is designed to make you interact
with each other. Because I know most of us tend to be stuck.
It's introverted based on personality types that gravitate towards certain fields.
I have a background in mathematics, I'm used to looking at my own shoes.
I encourage you to talk to each other.
You have an icebreaker around your neck.
You have an excuse to say I haven't seen that badge, can I see that?
In order to see that, you have to be close to someone, you have to interact.
I encourage you to do that.
I also encourage you to do that because it makes solving the puzzles easier and it's
actually impossible to solve the puzzles this year without looking at other people's
badges.
The same thing was true last year and the year before that.
Because to me the most important thing that comes out of DEF CON are the relationships
that are built here that then produce other fruits that might not otherwise be out in
the world.
Because I think there's too much wrong with what's going on.
There's too much wrong in security.
We've seen a lot of bad stuff coming out in the news lately.
And you all understand, we're odd.
We're the odd folks.
If you go out and you think about the average IQ of somebody on the planet, it's kind of
frightening.
So anyway, I'm glad you're all here.
Welcome to DEF CON 21.
You're going to have to be more lively than this for your other speakers.
This is just the opening ceremonies, but the speakers here enjoy it.
You'll have speakers up here.
If you have a speaker that will be drinking while they present, they're going to want
to talk to you.
And if somebody starts talking bullshit in one of their speeches, call them on it.
That's why we're here at DEF CON.
Welcome.
Have a great time.
Do I release the hounds now?
What do I do?
You guys want to hear the TSA security story?
So I hand carried the Ubers and several of the badges and I had them in a box wrapped
up and duct tape shut with black duct tape.
Probably not the best choice.
And I took it in my carry-on because there's no way in hell that I'm going to check this
because this is real glass.
These will break.
So I check the box.
It's going through the X-ray machine and the lady is looking at me.
She looks at the screen.
She looks back at me and I see her eye kind of raised and she looks back at the screen
and then they do the whole call someone else over.
According to Bruce, the security theater began.
The curtain rose and act one started.
So the TSA had another gal come over and look at the screen and, of course, then they pull
it out the other side of the X-ray.
Sir, is this your bag?
Yes, it is.
Would you mind ‑‑ because it was in a box inside of my carry-on.
So she goes, I'm going to take it out.
I was like, go ahead.
Please be careful.
It's fragile.
So ‑‑
So don't ever tell TSA something is fragile.
Because they take that to mean explosive, I guess.
I don't know.
Because, you know.
So they open up my bag and once you open the bag, then you can start to hear the ticking
noise that's going on.
TSA doesn't like little boxes wrapped in black duct tape that tick.
That show up with extreme amounts of metal in the X-ray.
Not good.
Especially when there's a big fucking skull on it.
It was fun and I'm glad I made my flight.
How's that?
And consequently, that's not the first time this has happened to me coming to DEF CON.
I've had the mystery boxes declared as bombs at least four separate times coming to DEF
CON.
And we've had hotel security here as people competing in the mystery challenge years,
carrying these metal boxes with mercury tilt sensors on them.
So they're balancing them very precariously.
Because if they tilt them, the box begins to wail because I'm a jerk.
I'll give you this one and then I've got to let you go.
I had these thick steel boxes that were made out of a tube.
And they had locks on the top and bottom.
And I put the mercury tilt switch inside so they couldn't tilt the box, but they had to
pick the bottom lock first.
So they've got these big-ass heavy boxes that they can't tilt and they have to go up
through the bottom.
So you've got people holding these boxes that weigh like 50 pounds over the head of some
guy who's underneath trying to pick the lock from the underside.
And so here's security walks by and here's these guys holding the box and we've got this
guy on the ground.
And there were blinking lights on the outside, looked like a bomb.
So anyway, yeah, those are the kinds of stories that I will never forget about DEF CON.
Anyway, thank you very much.
Have a great conference.
